Turn on IPv6, get attacked by malware

The amount of IPv6 traffic on the Internet remains small but is growing, and as content providers and end users adopt the new Internet Protocols, malware already is in place to take advantage of them.

“There is malware on the IPv6 Internet today,” said Erik Nygren, chief architect of content delivery company Akamai. “It is very important to make sure that as you turn on IPv6, you have solid security in place.”

The warning comes as federal agencies face a Sept. 30 deadline for enabling IPv6 on public-facing services, and on the eve of World IPv6 Launch Day, when many of the major service providers, equipment vendors and Web companies will permanently enable the new protocols on their networks, hardware and sites.

The launch day is an effort by the Internet Society to draw attention to the need for networks and service providers to permanently enable IPv6 as the pool of available IPv4 addresses dries up. As new users and devices join the Internet in the coming years, growth will increasingly be in the new IPv6 address space. To ensure that users will be able to seamlessly access online resources, legacy systems will have to be able to accept the new packets.

In the federal government, the Office of Management and Budget has required that agencies enable IPv6 on their public-facing Web, Domain Name System and e-mail services by the end of fiscal 2012. Internal network elements must be enabled two years after that.

“Our public-sector customers have been leading the way in the IPv6 space,” Nygren said.

Akamai, which provides a distributed global platform for delivering online content for customers that include many federal agencies, can enable IPv6 for Web and DNS services for customers by hosting their content on dual-stack servers that can handle both IPv4 and IPv6. If a request for content hits the Akamai server using IPv6, it will respond using that protocol if the content is available on the server. If the content is not available, it will retrieve it from the agency’s servers using IPv4 and then serve it to the requester using IPv6.

To date, 21 agencies have moved to a dual-stack platform, said Christine Schweikert, Akamai’s public-sector senior engagement manager.

“Our largest public-sector customers have transitioned,” Schweikert said. “One hundred percent of them will be dual-stacked by September. It allows them to meet the 2012 mandate,” and gives them time and resources to devote to the 2014 deadline for enabling IPv6 on internal networks.

Despite the attention being paid to the transition, the volume of IPv6 packets actually traversing the Internet remains small. In May, the amount of traffic accessing IPv6-enabled servers using IPv6 packets was 0.6 percent, Nygren said. But that is a sharp uptick from the 0.2 percent measured in the fall of 2011.

“It is still remarkably small, but it has increased dramatically over the past year,” he said.

Although the government is a leader in enabling IPv6, the growth in its traffic is occurring across the board, with consumer Internet service providers and wireless providers as well as research labs and universities, he said. The impact on IPv6 adoption being made by the explosion of mobile IP devices is illustrated by Verizon Wireless. Data service for its 4G-enabled devices is provided via IPv6.

But as website operators make the switch, they should beware.

Nygren said that as soon as websites begin enabling IPv6, they are being attacked with malware using the protocols. Some of the attacks could be just serendipity for the malware creators, because the malware often is built with the same code libraries as operating systems and applications, which already are able to use IPv6. “The malware might start using IPv6 without any input from the author,” Nygren said.

But the developers are not merely relying on luck, he said. “People who make malware often look for the softest targets, and IPv6 is a great opportunity for them,” because many IPv6 platforms have not been hardened.

Although many online attacks continue to exploit familiar vulnerabilities rather than use cutting-edge, zero-day exploits, you cannot afford to assume that hackers are not working to stay ahead of the curve, he said.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.